Vapi: Earlier this monsoon, when Arif, 26, who works as a Data management in a transport company in Vapi. he decided to sell his Sofa set. Like many others, he listed his Sofa set on an online classifieds portal for sale. However, instead of successfully selling his Sofa set, he ended up learning some tactics from a fraudster. just before they fraud him or we can say it was his luck.
Soon after he listed his Sofa set, Arif got a call from a prospective buyer claiming to be working for the armed forces and being stationed at a border area in Mumbai. As the negotiation progressed, Arif tried to ascertain the identity of the person through Truecaller. “I checked his name on Truecaller and it was the same that he told me, so I was kind of satisfied," Arif said.
The person told Arif that he was going to transfer him the money right away and his wife would come later and collect the Sofa set. Arif agreed. The caller told Arif to enter his UPI (
Unified Payment Interface) ID in the Paytm app on his phone. The minute Arif did that, he got a message from his bank, informing him that transaction declined due to low balance. He called the person to figure out what happened and was told that something went wrong and that Arif should try doing it again. He tried again, and then again. After the third attempt, Arif realized he was getting conned. What he was entering was not his UPI ID but his UPI PIN,
authorizing payment to the fraudster.
Over the past few weeks, payment apps such as Paytm, Google Pay that provide a platform for UPI transactions, online classifieds portals such as
OLX have been witnessing a stream of similar complaints. Many of these complaints are being made public through social media. What is striking is that UPI, in fact, one particular feature in UPI, is being used by the fraudsters in different ways.
New tactics
The most common UPI fraud right now is the one that Arif faced. UPI has a feature wherein an individual or a merchant can send the user a request to collect money. The user needs to authorize the transaction using a security PIN. This PIN is like an ATM PIN and not a uniquely generated one-time password OTP. In the case of Arif, when the fraudster was asking for his UPI ID, he was actually nudging his victim to input the PIN, which makes the transaction go through. This is the first and most common variation of misuse of the “request money" feature in UPI at present.
Another way, said Anuj Bhansali, head, fraud and risk at PhonePe, is for the fraudster to call the user claiming to be a representative of some platform and offer a cashback. The user is nudged to enter the PIN through the collection request and the money gets debited from the victim’s account. Basant Shroff, partner and technology risk leader at EY, said this technique is also being used by fraudsters to defraud card users. The difference is that the user needs to share the
OTP for a card transaction. “The fraudster calling you does not use the term ‘OTP’ but says that it is a code that you need to share to get the cashback (though the message does mention OTP)," he said.
In the UPI ecosystem, some fraudsters get reported by alert users and get blocked by the payment platforms, but a lot of them get away. “What happens is that the fraudster will make a purchase on an online platform and enter your UPI VPA (virtual payment address) in the mode of payment. You will get the collect request. If you enter your PIN at this stage, you have paid for someone’s else’s online purchase. It is not rampant, but we have come across some such cases," Bhansali said.
Another method fraudsters are using is spreading fake customer care numbers for banks or UPI platforms. When a user calls these numbers, fraudsters extract sensitive information from them.
How to avoid online fraud
Dos
■ Read transaction SMSes, pop-ups and descriptions closely
■ Know the difference between an ID, PIN, and OTP
■ Alert your service provider to potential spam and fraud
■ Be skeptical of someone calling you and offering freebies like cashbacks
Don’ts
■Never share PINs and OTPs
■Never share identifiable information on public forums that can be misused
■Don’t click on random links offering freebies or asking for verification
■Don’t enter a PIN to receive money on any platform